Securing Apache/PHP in Shared Hosting Environments

Every couple of years I get interested in figure out how to build a new shared hosting platform, like the one we used to run on AusGamers back in the day – we hosted over a thousand websites for things like gaming clans, hobby sites, and so on. We had a great, simple system that a few people hacked on that automatically provisioned an Apache setup, MySQL databases, and email stuff. It was basic, but it did the job and meant we were able to easily provide a system to host all those sites, which we did on a single box.

This service was completely free and not considered mission criticial; security was something we were vaguely concerned about but never really spent a lot of time on it. My big concern was the PHP processing side – on most shared hosting platforms, PHP runs in the context of the Apache process, so if you’re not really careful with your permissions you can end up creating issues between your various sites.

So every few years I rack my brain to try to remember what options I looked at last time. This time, I’m going to write them down as I come across them so I can find them again easily when I repeat the process.

The solutions I am most interested in are the ones that let Apache run with only certain permissions based on who owns the files – so you can, for example, have multiple web roots, each owned by a different uid/gid (so sites have their own user account in the host operating system), and PHP’s access is limited to each directory as it executes as that user.

Here’s what I’ve found so far, in rough order of what I’m going to try:

MPM-ITK – non-threaded so more stable but performance hit. Each vhost runs with its own uid/gid. Available in most major distro repositories (including Debian/Ubuntu). Runs as root. Last update: Apr 2009.

suPHP – Apache module + setuid root binary that changes the uid of the process running a PHP script. Last update: Mar 2009.

Peruser MPM – run each Apache process as its own uid/gid. Apparently has better performance under some circumstances, may need to use non-threaded version for better stability. Last update: Oct 2007.

muxmpm/metuxmpm – refers to this page which is a 404, no other readily available information.

Possibly to be used in conjunction with PHP’s open_basedir directive.